Hash lock all images #8

Open
19 of 37 tasks
daurnimator opened this issue May 27, 2020 · 4 comments
@daurnimator
Member

daurnimator commented May 27, 2020

Many of our resources only select a particular image tag, rather than an exact hash.

  • Use kustomization image field to hashlock
  • Check any operators for additional images they may bring in

```
kubectl get pods --all-namespaces -o json | jq '.items[].spec.containers[].image' | grep -v sha256 | sort -u
```

  • digitalocean/do-csi-plugin:v4.2.0
  • docker.io/cilium/cilium:v1.10.4
  • docker.io/cilium/operator:v1.10.4
  • docker.io/coredns/coredns:1.8.4
  • docker.io/digitalocean/arp-flusher:v0.0.2
  • docker.io/digitalocean/do-agent:3.11.0
  • docker.io/digitalocean/do-csi-plugin:v4.4.1
  • hashbang/hashbangctl
  • k8s.gcr.io/sig-storage/csi-attacher:v3.5.0
  • k8s.gcr.io/sig-storage/csi-provisioner:v3.2.1
  • k8s.gcr.io/sig-storage/csi-resizer:v1.5.0
  • k8s.gcr.io/sig-storage/csi-snapshotter:v6.0.1
  • nginx:1.21.0
  • quay.io/jetstack/cert-manager-cainjector:v1.11.2
  • quay.io/jetstack/cert-manager-controller:v1.11.2
  • quay.io/jetstack/cert-manager-webhook:v1.11.2
  • registry.k8s.io/kube-proxy:v1.24.12
  • registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.0
  • 42wim/matterbridge:1.26.0
  • drgrove/mtls-server:v0.20.0
  • drgrove/wkd:v2.2.2
  • eu.gcr.io/k8s-artifacts-prod/external-dns/external-dns:v0.13.4
  • ghcr.io/dexidp/dex:v2.36.0-distroless
  • ghcr.io/ergochat/ergo:v2.11.1
  • hashbang/book:latest
  • hashbang/hashbang.sh:latest
  • hashbang/webirc:latest
  • k8s.gcr.io/sig-storage/csi-node-driver-registrar
  • k8s.gcr.io/sig-storage/snapshot-controller
  • k8s.gcr.io/sig-storage/snapshot-validation-webhook
  • kiwigrid/k8s-sidecar:1.24.0
  • postgrest/postgrest:v11.0.1
  • quay.io/argoproj/argocd:v2.7.2
  • redis:7.0.11-alpine
  • redis:7.0.5-alpine
  • registry.k8s.io/ingress-nginx/controller:v1.7.1
  • thatonecalculator/calckey:v13.1.4.1
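
An added example, not part of the original issue or the project's code: the same audit as the `kubectl | jq | grep` pipeline above, extended to also read `initContainers` and `ephemeralContainers` (the jq filter only reads `.spec.containers`) and to tell tag-only references from untagged ones. The sample pod list and the all-zero digest are constructed; the function names are hypothetical.

```python
import json
import re

# Constructed sample of `kubectl get pods --all-namespaces -o json` output.
# Image names come from the issue's list; the digest is a made-up placeholder.
FAKE_DIGEST = "sha256:" + "0" * 64
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"initContainers": [{"name": "init", "image": "hashbang/book:latest"}],
              "containers": [{"name": "nginx", "image": "nginx:1.21.0"},
                             {"name": "ctl", "image": "hashbang/hashbangctl"}]}},
    {"metadata": {"namespace": "default", "name": "cache"},
     "spec": {"containers": [
         {"name": "redis", "image": "redis:7.0.11-alpine@" + FAKE_DIGEST},
         {"name": "reg", "image": "localhost:5000/app"}]}},
]})

# Anchored match, so a tag that merely contains "sha256" does not count as pinned.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify(image):
    """Return 'digest', 'tag' or 'untagged' for an image reference."""
    if DIGEST_RE.search(image):
        return "digest"
    # A colon only marks a tag when it is in the last path component;
    # earlier it is a registry port (localhost:5000/app).
    last = image.rsplit("/", 1)[-1]
    return "tag" if ":" in last else "untagged"

def unpinned(pod_list_json):
    """Return sorted (image, kind, namespace/pod) tuples not pinned by digest."""
    found = set()
    for pod in json.loads(pod_list_json)["items"]:
        where = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        for field in ("initContainers", "containers", "ephemeralContainers"):
            for c in pod["spec"].get(field) or []:
                kind = classify(c["image"])
                if kind != "digest":
                    found.add((c["image"], kind, where))
    return sorted(found)

if __name__ == "__main__":
    for image, kind, where in unpinned(SAMPLE):
        print(f"{kind:9} {image}  ({where})")
```

Against a live cluster, pass the output of `kubectl get pods --all-namespaces -o json` to `unpinned()` in place of `SAMPLE`.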
@daurnimator daurnimator mentioned this issue May 27, 2020
@KellerFuchs
Member

Updated the list

@KellerFuchs
Member

KellerFuchs commented May 15, 2023

From what I can tell, the only things which aren't hash-locked are either:

  • hashbangctl, or
  • DO-managed things (network, storage, ingress, etc.)

I don't think it makes sense to make giant kustomize files to set hashes on the latter, but I'll do something about hashbangctl.

PS: "Presumably doesn't make sense" since DO manages what's precisely deployed in those cases, and we need to trust DO anyhow.
